2) A trust subnet configured under the admin account affects ping traffic on the data port as well, not only admin login traffic. Even when ping is allowed, it is dropped on the data port as long as the source subnet is not within the configured trust-subnet range.

RFC 2597 defines the assured forwarding (AF) PHB and describes it as a means for a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. The Assured Forwarding PHB guarantees a certain amount of bandwidth to an AF class and allows access to extra bandwidth, if available. There are four AF classes, AF1x through AF4x. Within each class, there are three drop probabilities. Depending on a given network's policy, packets can be selected for a PHB based on required throughput, delay, jitter, loss or according to priority of access to network services.
Classes 1 to 4 are referred to as AF classes. The following table illustrates the DSCP coding that specifies the AF class together with the drop probability: bits DS5, DS4 and DS3 define the class, bits DS2 and DS1 specify the drop probability, and bit DS0 is always zero.
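As an added example that is not part of the original post, the AF bit layout just described implemented in Python as an encoder and decoder; it also rejects codepoints outside the AF group (a set DS0 bit, or a class or drop field RFC 2597 does not define). The function names and the TOS helper are my own choices.

```python
# Added example: RFC 2597 Assured Forwarding codepoints, using the bit layout
# the text describes: DS5..DS3 = AF class (1..4), DS2..DS1 = drop precedence
# (1..3), DS0 = 0. The DSCP is the upper six bits of the IPv4 TOS byte.

AF_CLASSES = range(1, 5)        # AF1x .. AF4x
DROP_PRECEDENCES = range(1, 4)  # low (1), medium (2), high (3)


def af_to_dscp(af_class: int, drop: int) -> int:
    """Return the 6-bit DSCP value for AF<class><drop>, e.g. AF11 -> 10."""
    if af_class not in AF_CLASSES:
        raise ValueError(f"AF class must be 1..4, got {af_class}")
    if drop not in DROP_PRECEDENCES:
        raise ValueError(f"drop precedence must be 1..3, got {drop}")
    # class occupies DS5..DS3, drop precedence DS2..DS1, DS0 is forced to zero
    return (af_class << 3) | (drop << 1)


def dscp_to_af(dscp: int) -> str:
    """Map a 6-bit DSCP back to its AF name, e.g. 34 -> 'AF41'.

    Raises ValueError for any codepoint that is not an AF codepoint: DS0 set,
    class 0 or 5..7, or drop precedence field 0.
    """
    if not 0 <= dscp < 64:
        raise ValueError(f"DSCP is a 6-bit field, got {dscp}")
    af_class = dscp >> 3          # DS5..DS3
    drop = (dscp >> 1) & 0b11     # DS2..DS1
    ds0 = dscp & 1
    if ds0 != 0 or af_class not in AF_CLASSES or drop not in DROP_PRECEDENCES:
        raise ValueError(f"DSCP {dscp} is not an Assured Forwarding codepoint")
    return f"AF{af_class}{drop}"


def dscp_from_tos(tos_byte: int) -> int:
    """Extract the DSCP from an IPv4 TOS / IPv6 Traffic Class byte.

    The DSCP is the upper six bits; the low two bits carry ECN, not DS bits.
    """
    return (tos_byte & 0xFF) >> 2


def af_table() -> dict:
    """Build the class / drop-precedence table the text refers to."""
    return {f"AF{c}{d}": af_to_dscp(c, d)
            for c in AF_CLASSES for d in DROP_PRECEDENCES}


if __name__ == "__main__":
    for name, code in af_table().items():
        print(f"{name}: DSCP {code:2d} = {code:06b}")
```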

Thursday, January 19, 2012

The Avocent Cyclades ACS console servers are great little units that run Linux and even give you full root console access. The root password is "tslinux" by default. If it has been changed, you can boot the unit into single user mode by appending the argument "single" to the Linux kernel selection during the boot process (make sure you put a space between the existing kernel parameters and "single"), which will drop you to a root prompt.

On my unit, this line comes up right at the start of the boot process:

Linux/PPC load: root=/dev/ram ramdisk=0x0001F000

So you would type " single" (remember the space!) to get:

Linux/PPC load: root=/dev/ram ramdisk=0x0001F000 single

Then just hit enter and the unit will boot up into single user mode and give you the root prompt.

At this point, if you want to restore the entire unit to the factory default settings (which erases all of the configuration), just run "defconf" and then reboot the unit.

If you want to keep the existing configuration intact but just reset the password, use the traditional Linux passwd tool to edit /etc/passwd:

Thursday, December 29, 2011

There are a couple of advanced options under 802.1x authentication. Here is a brief introduction. :)

1. The difference between Normal EAP and AAA FastConnect (EAP-Offload):

Normal EAP:

AAA FastConnect (EAP-Offload):

It is easy to understand and configure:

2. Machine Authentication:
When a Windows device boots, it logs onto the network domain using a machine account: host/<pc-name>.<domain>
You can configure 802.1x for both user and machine authentication.
Machine authentication is optional; the setting is under L2 Authentication.

This part is about configuring WPA or WPA2 with 802.1x on Aruba controllers.
1. Configure the external auth-server or the internal-db.
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, key rotation, re-auth, etc.).
4. Create an AAA profile and assign the dot1x profile and dot1x server group created in Steps 2 and 3.
5. Create an AP Group and a Virtual AP.
6. Assign the AAA profile to the Virtual AP.
7. Configure the SSID profile with the SSID, the required operation mode and authentication settings to use with dot1x, and any other parameters.

802.1x Configuration Example WPA2-AES

Step 1 - Configure a Server:

Step 2 - Configure the Server Group: Create a Server Group and assign the server to it.

NOTE: Multiple servers are allowed. When the "Fail Through" box is unchecked and one server denies the authentication, no request is sent to the remaining servers. When the "Fail Through" box is checked, the authentication request continues to be sent to the remaining servers after a denial. Furthermore, when using 802.1x authentication, Fail Through only works with AAA FastConnect enabled.

Step 3 - Configure the AAA Profile to use dot1x:

Step 4 - Configure the L2 dot1x Profile:

Step 5 - Create an AP Group and Virtual AP:

Step 6 - Assign the AAA Profile to the VAP:

Step 7 - Configure the SSID for WPA2-AES:

Note: 802.11i supports both TKIP and AES-CCM. 802.11i intends for users to ultimately take advantage of AES-CCM, as it is better than the other existing options. However, as mentioned in earlier slides, it generally requires a hardware upgrade for the wireless clients. Therefore, TKIP is available as an alternative to basic WEP to improve security without the need for a full-fledged hardware upgrade.

A better solution than PSK is to use dynamic keys. Here, dynamic keys are used to provide the greatest level of security.